Subject: Re: authentication systems (.NET, .GNU): Its the desktop, dummy.
From: Ian Lance Taylor
Date: 13 Sep 2001 01:01:40 -0700

Tom Lord writes:

>        I believe it would be clearly beneficial to have a single
>        secure authentication system, one which permitted a single
>        password for a limited number of roles, one in which each site
>        which used the authentication system clearly stated in a
>        verifiable manner which items of information that site would
>        use, and one which permitted easy use of stored credit card
>        information without having the credit card information stored
>        in many locations around the net.
>        [....] I think that Passport has a clear role in the
>        marketplace.
>
> Standards for forms that request the usual array of secure
> information, combined with some smarts in browsers, can satisfy most
> of your requirements.
>
> Standards for exchanging credit card information in a form that
> permits only one-time, vendor and amount-specific use can satisfy the
> rest.
>
> Secure, application-independent, on-line data storage can provide
> device and location independence, if and when that is something lots
> of people want.
>
> No authentication service is needed -- merely incremental improvements
> to the way things already work.

I think that once you get to on-line data storage, what you have
described is more work than an authentication service.

I happen to think that an authentication service--or, I should say, a
standardized interface to an extensible set of authentication
services--is philosophically correct.  The Internet should be able to
provide services beyond the simple carriage of data.

So while I don't think there is anything wrong with your suggestions,
I don't see the point.